This is used for auth tokens that are expected to expire (e.g., SSO).
An auth.TokenManager instance may be passed to the driver instead of a static auth token.
import (
"context"
"github.com/neo4j/neo4j-go-driver/v5/neo4j"
)
type myTokenManager struct {}
func (m *myTokenManager) GetAuthToken(ctx context.Context) (neo4j.AuthToken, error) {
// [...] see API documentation for details
}
func (m *myTokenManager) OnTokenExpired(ctx context.Context, token neo4j.AuthToken) error {
// [...] see API documentation for details
}
driver, err := neo4j.NewDriverWithContext("neo4j://example.com:7687", &myTokenManager{})
// [...]
The easiest way to get started is using the provided TokenManager
implementation. For example:
import (
"context"
"fmt"
"github.com/neo4j/neo4j-go-driver/v5/neo4j"
"github.com/neo4j/neo4j-go-driver/v5/neo4j/auth"
"time"
)
myProvider := func(ctx context.Context) (neo4j.AuthToken, *time.Time, error) {
// some way of getting a token
token, err := getSsoToken(ctx)
if err != nil {
return neo4j.AuthToken{}, nil, err
}
// assume we know our tokens expire every 60 seconds
expiresIn := time.Now().Add(60 * time.Second)
// Include a little buffer so that we fetch a new token *before* the old one expires
expiresIn = expiresIn.Add(-10 * time.Second)
// note: we can return nil instead of `&expiresIn` if we don't expect the token to expire
return token, &expiresIn, nil
}
driver, err = neo4j.NewDriverWithContext(getUrl(), auth.ExpirationBasedTokenManager(myProvider))
// [...]
Note
This API is explicitly not designed for switching users.
In fact, the token returned by each manager must always belong to the same
identity. Switching identities using the AuthManager is undefined behavior.
2) Session Auth
For the purpose of switching users, sessions can be configured with a static
auth token. This is very similar to impersonation in that all work in the
session will be executed in the security context of the user associated with
the auth token. The major difference is that impersonation does not require or
verify authentication information of the target user, however it requires
the impersonating user to have the permission to impersonate.
Note
This requires Bolt protocol version 5.3 or higher (Neo4j server 5.8+).
ADR 012: re-authentication
This PR introduces two new auth mechanics for different use-cases 1) Auth Rotation 2) Session Auth (a.k.a. user switching)
Note that all APIs introduced in this PR are previews See https://github.com/neo4j/neo4j-go-driver/#preview-features
1) Auth Rotation
This is used for auth tokens that are expected to expire (e.g., SSO).
An
auth.TokenManager
instance may be passed to the driver instead of a static auth token.The easiest way to get started is using the provided
TokenManager
implementation. For example:Note
This API is explicitly not designed for switching users. In fact, the token returned by each manager must always belong to the same identity. Switching identities using the
AuthManager
is undefined behavior.2) Session Auth
For the purpose of switching users, sessions can be configured with a static auth token. This is very similar to impersonation in that all work in the session will be executed in the security context of the user associated with the auth token. The major difference is that impersonation does not require or verify authentication information of the target user, however it requires the impersonating user to have the permission to impersonate.
Note This requires Bolt protocol version 5.3 or higher (Neo4j server 5.8+).